Almost two thirds of APIs vulnerable to data breaches

More than 60 per cent of web services or mobile app APIs have at least one high-risk vulnerability that can potentially lead to a compromised database. Those are the results of a new and comprehensive report by High-Tech Bridge, summing up the trends in web security for the past six months.

The report also says that when a website is vulnerable to cross-site scripting (XSS), it is also vulnerable to other critical flaws in at least 35 per cent of cases. Other vulnerabilities include SQL injection, XXE and improper access control.

When it comes to HTTPS encryption, 23 per cent of websites still use the deprecated SSLv3 protocol, mostly in the UK, US, Germany, France and Russia. A stunning 97 per cent of sites are still using the insecure TLS 1.0 protocol, restricted by PCI DSS from June 2018.

The report says that just 0.43 per cent are vulnerable to Heartbleed, but almost a quarter (23 per cent) are still vulnerable to POODLE.

“The easiest and fastest to hack, insecure web applications are becoming the major threat across the Internet,” says Ilia Kolochenko, CEO and founder of High-Tech Bridge.

“Aggravated by weak web server configuration and unreliable SSL/TLS encryption, vulnerable web applications are actively exploited by cybercriminals to conduct APTs against multinationals and governments, as well as to extort ransom from individuals or SMBs.”

Domains under the .com and .org top-level domains are the most common among fraudulent domains, while the US, Poland and Singapore remain the most popular countries for hosting such sites.